← Dispatches

TLP:CLEAR · 2026-03-12

Behind the Firewall: Inside Handala's Origin Server, Hidden Domains, and the Architecture They Built to Outlast Every Ban

Handala's DDoS-Guard protection has a hole in it. The www. subdomain was never routed through the CDN. Hitting the origin server directly — 185.208.156.82, Global-Data System IT Corporation, Zürich — returns a live WordPress installation with its REST API wide open. From there: a complete operational timeline dating to December 18, 2023, a predecessor domain (handala.cx) that predates the known infrastructure by seven months, a dedicated bounty platform (handala-redwanted.to) running Microsoft IIS on Windows Server in Amsterdam, a Telegram persona named Akhira, and a four-month operational blackout in 2025 that ended exactly when their n8n automation server came online. We went through the firewall. Here is what was behind it.

The Misconfiguration

DDoS-Guard protects handala-hack.to — its edge node at 185.178.208.137 (Rostov-na-Donu, Russia) terminates external connections and geoblocks by IP, blocking our server, blocking Tor exit nodes, blocking everything it classifies as non-civilian traffic.

The protection has one gap. www.handala-hack.to resolves to 185.208.156.82 — a separate IP that bypasses DDoS-Guard entirely. This is a standard DNS misconfiguration: the operator pointed the apex domain through DDoS-Guard but forgot the www. record. The origin server sits fully exposed.

RecordIPVia
handala-hack.to185.178.208.137DDoS-Guard edge (Rostov-na-Donu, Russia)
www.handala-hack.to185.208.156.82Direct to origin server

The TLS certificate on 185.208.156.82 covers *.handala-hack.to and handala-hack.to — issued by Let's Encrypt (R12), valid through March 17, 2026. Sending HTTP requests to the IP with Host: handala-hack.to returns the full site without challenge.

The Origin Server

185.208.156.82 — Zürich, Switzerland — AS42624, Global-Data System IT Corporation. LiteSpeed web server. WordPress 6.9.1. One identified plugin: top-bar.

The WordPress REST API (/wp-json/) is fully accessible without authentication. The xmlrpc.php endpoint is blocked (403). User enumeration via /wp-json/wp/v2/users returns one registered account:

FieldValue
WordPress user ID1
Usernamevie6c
Profile URLhttps://handala.cx

The profile URL is the first thread. handala.cx is not in prior public reporting. Every published analysis of Handala infrastructure references handala-hack.to and handala.to. The WordPress author profile points somewhere else entirely.

The Original Domain: handala.cx

handala.cx (Christmas Island TLD) is the original Handala leak site — predating handala-hack.to by seven months.

DomainFirst TLS CertificateNotes
handala.cxDecember 11, 2023Google Trust Services issuer (GTS CA 1P5)
handala-hack.toJuly 24, 2024Let's Encrypt

The first cert on handala.cx was issued by Google Trust Services — unusual for a threat actor, but consistent with a Google-managed hosting environment or Cloudflare-fronted origin. Subsequent renewals switched to Let's Encrypt and Sectigo. The domain now returns no DNS A record — it has been retired — but the WordPress operator profile still points to it, establishing it as the original operational identity.

The first post published to the WordPress installation (ID: 17, December 18, 2023) contains the original channel listing:

Three Telegram channels at launch. The `x.com/handala_hack` account — later banned August 21, 2024 — was operational from the December 2023 start.
## The Complete Operations Timeline
The WordPress REST API returns all published posts in chronological order. This is the first complete public enumeration of Handala's operation history from origin, spanning December 2023 through March 2026:
**Phase 1 — handala.cx (December 2023 – February 2025)**
| Date | Operation | Target |
| --- | --- | --- |
| 2023-12-18 | First post | About Handala / Telegram channels |
| 2024-03-14 | Viber Messenger | Source code + management panel, 740GB, 8 BTC asking price |
| 2024-04-05 | Unit 8200 targeting | SIGINT unit personnel files |
| 2024-07-15 | Sheba Medical Center | Israel's largest hospital |
| 2024-07-26 | Innovalve Bio Medical | 3TB claimed, $300M valuation taunted |
| 2024-08-22 | EPS Tech | Military source code leak |
| 2024-09-23 | Benny Gantz | Former defense minister, war cabinet member |
| 2024-09-24 | Israel Defense Minister | Private photos |
| 2024-09-26 | Foreign Affairs Minister | Email archive |
| 2024-09-28 | **Soreq NRC** | Israel's primary nuclear research center |
| 2024-10-02 | Israel Prime Minister | Email archive |
| 2024-10-03 | **Shin Bet** | Internal Security Service |
| 2024-09-19 | Vidisco | Israeli defense electronics manufacturer |
| 2024-09-19 | Israeli Industrial Batteries (IIB) | Industrial infrastructure |
| 2024-10-06 | IIB data leak | Follow-on release |
| 2024-10-08 | Israeli Ambassador, Germany | Email archive |
| 2024-10-08 | Max Shop | |
| 2024-10-10 | Doscast | |
| 2024-10-28 | Agas | |
| 2024-10-30 | IM Cannabis | |
| 2024-11-03 | Elad Municipality | Local government |
| 2024-11-21 | SSV Blockchain Network | Financial infrastructure |
| 2024-11-24 | Silicom | Israeli networking hardware company |
| 2024-12-03 | Harel Insurance / Shirbit | Financial sector |
| 2024-12-16 | GNS Cloud | Cloud infrastructure provider |
| 2024-12-25 | Reutone | Christmas day operation |
| 2024-12-30 | Allen Carr's Easyway | |
| 2025-01-20 | Zuk Group | |
| 2025-01-29 | Ministry of National Security | |
| 2025-02-02 | Tosaf | Industrial chemicals |
| 2025-02-09 | Israel Police | |
**Phase 2 — Operational Gap (February 9 – June 14, 2025)**
Post IDs jump from 315 (February 9, 2025) to 320 (June 14, 2025) — a **four-month operational hiatus**. No published operations, no claimed victims. This gap aligns exactly with the period of post-X-ban restructuring: Handala lost its primary amplification channel (August 21, 2024), built the `gramatikservicesapi.top` n8n automation infrastructure (September 9, 2024), and spent the following months rebuilding operational cadence. They returned in June 2025 at significantly higher tempo.
**Phase 3 — handala-hack.to resumed (June 2025 – March 2026)**
| Date | Operation | Target |
| --- | --- | --- |
| 2025-06-14 | Israel fuel supply system | Multi-target campaign, 4 posts same day |
| 2025-06-18 | Weizmann Institute of Science | Nobel Prize-level research institution |
| 2025-06-23 | **Shelter Locations in Israel** | Civilian infrastructure targeting — coordinates disclosed |
| 2025-07-08 | **Iran International** | London-based anti-regime Persian media — 2.5-year persistent access claimed; WhatsApp, Signal, internal files |
| 2025-07-09 | Iran International staff doxxed | Iranian expat journalists' identities exposed; Mossad cooperation alleged |
| 2025-07-10 | Yinon Magal | Israeli media personality and politician |
| 2025-09-27 | **Amos Spacecom** | Israeli satellite operator; employee list released |
| 2025-10-07 | HPR entity formalized + RedWanted launched | Organizational restructuring announced |
| 2025-10-18 | Saturday Reckoning | Start of weekly Saturday personnel disclosure series |
| 2025-10-19 | Commemoration of Reza Awada | Hezbollah commander killed by Israel — ideological statement |
| 2025-11-29 | **Dr. Isaac Gertz** | Described as "Chief Nuclear Architect of the Zionist Regime" |
| 2025-11-29 | Unit 8200 personnel | SIGINT corps members doxxed |
| 2025-12-13 | Arrow / David's Sling engineers | Missile defense system personnel doxxed |
| 2025-12-17 | **Operation Octopus** | Naftali Bennett — former Prime Minister — personal communications; 200,000-message archive |
| 2025-12-28 | Tzachi Braverman | Netanyahu cabinet chief of staff |
| 2026-01-03 | Ayelet Shaked | Former Justice Minister, iPhone exfiltration, contact lists |
| 2026-01-03 | **15 SIGINT agents** | $50,000 RedWanted bounty per target |
| 2026-01-18 | Avraham Hayyim / Mehrdad Rahimi | Claimed Mossad agent identity exposure |
| 2026-01-21 | i24 Channel | Israeli English-language TV news network |
| 2026-02-19 | Sapir's Commander | IDF officer identity exposure |
| 2026-02-25 | **Clalit** | Israel's largest healthcare organization |
| 2026-03-07 | **Jerusalem Water Supply** | 423 GB exfiltrated; core infrastructure claimed crippled (via Handala Alert) |
| 2026-03-08 | **Israeli Weather Stations** | Military + civilian meteorological systems claimed wiped (via Handala Alert) |
| 2026-03-09 | **50 Senior IAF Officers** | Complete dossiers of Israeli Air Force officers involved in bombing campaigns; linked to RedWanted (via Handala Alert) |
| 2026-03-11 | **Stryker Corporation** | 200,000 devices wiped via Intune MDM — largest single-operation device count claimed |
Total documented operations: **130+** since December 18, 2023. The above are selected high-significance entries. The full post archive on the origin server (REST API, unauthenticated) contains the complete record. June 2025 alone saw a burst of 20+ operations against Israeli companies as the group returned from its four-month hiatus at dramatically higher tempo.
**Operations not yet on the main WordPress blog (sourced from handala-alert.to, the new media hub):** Saudi Aramco, Sharjah National Oil Corporation (UAE), Israel Institute for National Security Studies (INSS), IDF Farsi social accounts. Dates unconfirmed from this source.
## Post Timing: Operator Working Hours
Analysis of all 100 post timestamps (UTC) reveals operator working patterns:
| UTC Hour | Post Count |
| --- | --- |
| 08:00 | 9 |
| 10:00 | 8 |
| 12:00 | 10 |
| 13:00 | 8 |
| 14:00 | 13 (peak) |
| 15:00 | 5 |
Peak activity window: **08:00–15:00 UTC**. In Tehran (UTC+3:30), this maps to **11:30–18:30 local time** — a standard Iranian working day. The distribution drops sharply after 16:00 UTC (19:30 Tehran), consistent with end-of-shift behavior. The n8n automation server uses `Asia/Jerusalem` timezone (UTC+2/+3), but operator posting patterns are consistent with an Iranian time zone, not an Israeli one. The `Asia/Jerusalem` timezone on the automation server likely reflects targeting focus — automating campaigns in Israeli business hours — rather than operator location.
## The Tor Onion: A Placeholder
`vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion` is reachable via Tor SOCKS5 proxy. It returns:

The response body is empty. All enumerated paths return 404. The Last-Modified timestamp — July 22, 2024 — is two days before the first handala-hack.to TLS certificate was issued (July 24, 2024). The onion was provisioned as a blank nginx placeholder simultaneously with the clearnet infrastructure buildout. It exists to demonstrate Tor capability and provide a persistent hidden address, not to serve content.

DDoS-Guard blocks Tor exit nodes specifically. When accessing handala-hack.to via Tor, the __ddg9_ tracking cookie logs the exit node IP (observed: 185.220.101.47). The geoblocking is not country-based alone — it maintains an active Tor exit node blocklist.

The RedWanted Platform: handala-redwanted.to

handala-redwanted.to is a separate infrastructure deployment from the main WordPress site, discovered via post content referencing the domain.

PropertyValue
IP192.142.53.75
HostingAS214036, Ultahost, Inc. — Amsterdam, Netherlands
StackMicrosoft IIS/10.0 (Windows Server)
ProtocolHTTP only — no TLS certificate
Favicon sourcehandala-hack.to/wp-content/uploads/2025/07/ — links both sites

The Windows Server / IIS stack is the most operationally significant detail. The main site runs LiteSpeed on Linux. The automation server runs n8n on Ubuntu/Docker. RedWanted runs IIS on Windows. This indicates a different developer or team member built this application — someone working in a Windows environment, likely using ASP.NET or Node on Windows.

The platform is a custom application with Bootstrap 3 frontend and server-side filtering. Target categories as enumerated from the filter dropdown:

CategoryNotes
Elbit SystemIsrael's largest defense contractor
BIRD AeroSystemsAirborne EW and self-protection systems
Iron DomeAir defense system engineers
Israel Air ForceIAF personnel
Weizmann InstituteScientific research institution
Israel Ministry of Defense
UCAV/UAV IndustryDrone warfare technology
NSO GroupIsraeli spyware developer
Patriot Missile SystemUS air defense system
David's Sling SystemMulti-tier missile defense
ELTA SystemsIAI subsidiary — radar, EW, SIGINT
Israel Sea ForceNaval forces
RafaelDefense manufacturer (SPIKE, Iron Dome)
SoreqNuclear research center
Arrow Weapon SystemBallistic missile defense
IAIIsrael Aerospace Industries
Unit 8200SIGINT intelligence corps
C4I SystemsCommand, control, communications
Amos SpacecomIsraeli satellite operator
AmanMilitary intelligence directorate
Haifa AcHaifa Academic institutions (Technion / University of Haifa)
Indoor Robotics LtdIsraeli civilian indoor drone company — extends targeting to civilian technology sector

The inclusion of Patriot Missile System is significant: this extends Handala's declared targeting beyond Israeli entities to US defense infrastructure. The NSO Group category indicates the group tracks both Israeli defense contractors and Israeli intelligence software vendors.

Platform profiles use AI-assisted generation — verbose, threatening first-person surveillance narratives built from LinkedIn and public career data. Each profile ends with a reward amount (typically $30,000–$50,000) payable in cryptocurrency, with a contact link for tip submission.

The Akhira Identity

@HPRNEW on Telegram — the HPR INTELLIGENCE announcement account — displays the name "Akhira" (آخرة). The name translates from Arabic as *the Hereafter* or *the Afterlife* — the Islamic concept of the world after death. This is a persona or operator handle, not a channel name. The Telegram page returns "You can contact @HPRNEW right away" — indicating a personal account or bot, not a public broadcast channel, consistent with the account functioning as a direct contact point for tip submission and operator communication.

Live probing of the WordPress origin server identified three additional accounts not previously documented in public reporting:

AccountPlatformNotes
@Handala_RedX/TwitterEmbedded in WordPress theme social links block — dedicated account for the RedWanted bounty platform
@Handala_newsX/Twitter"Sunset of the Lions" — announced January 25, 2026; fourth X presence post-ban
t.me/HANDALA_HPR2Telegram811 subscribers; active as of March 11, 2026; amplified the Stryker operation

The account proliferation reflects a deliberate resilience strategy: maintain multiple parallel presences so that any single ban does not eliminate reach. The original @Handala_Hack was banned August 21, 2024. @HPRNEW followed. @Handala_Red and @Handala_news were built in parallel. Each account serves a distinct function: @HPRNEW for general operations, @Handala_Red for the bounty platform, @Handala_news for media amplification.

The Exposed Database

PostgreSQL is internet-exposed on port 5432 at 64.176.169.27 (gramatikservicesapi.top, the n8n automation server). The server responds to connection requests and presents SCRAM-SHA-256 authentication:

The database is not open — authentication is enforced. But its internet exposure is an additional misconfiguration: a properly secured n8n deployment should bind PostgreSQL to `127.0.0.1` only. This server has PostgreSQL accessible on any interface, protected only by the password.
## Handala Alert: The Expanding Infrastructure
The WordPress origin server contains a post (January 3, 2026, ID 607) announcing a new operational division: **Handala Alert**, described as the "media and operational arm of HPR." A live domain — `handala-alert.to` — was registered for this division.
| Property | Value |
| --- | --- |
| Domain | `handala-alert.to` |
| IP | **82.38.63.237** |
| Hosting | AS214036, Ultahost, Inc. — Falkenberg, Sweden |
| Stack | **Microsoft IIS/10.0** (Windows Server) — same stack as handala-redwanted.to |
| Last-Modified | March 10, 2026 (active, updated 2 days before this writing) |
The Swedish hosting (Ultahost, AS214036) mirrors the infrastructure pattern seen across other Handala assets — low-profile European VPS providers that avoid major hosting ASNs. The Microsoft IIS/Windows stack matches handala-redwanted.to exactly, indicating the same developer built both platforms.
Handala Alert operates as a news aggregator and media hub: it publishes operation announcements, links to third-party coverage, and serves as the release point for operations that have not yet been published to the main WordPress blog. The March 2026 operations documented in the timeline above (Jerusalem water supply, weather stations, 50 IAF officers) appeared on handala-alert.to days before the main site. The site also links to two internal documents: `handala-briefing-1.pdf` and `handala-briefing-2.pdf` — both returning 403 as of this writing.
The declared mandate of Handala Alert includes: media support for allied resistance groups, partisan operations inside Israel, recruitment inside Israeli territory, intelligence acquisition, and support for anti-regime groups abroad. The last category — "support for anti-authoritarian groups abroad" — marks an explicit expansion of scope beyond Israeli targets.
## Infrastructure Map: The Full Picture
| Domain | IP | Hosting | Stack | First Seen |
| --- | --- | --- | --- | --- |
| `handala.cx` (offline) | — | Unknown | WordPress | Dec 11, 2023 |
| `handala-hack.to` (via DDoS-Guard) | 185.178.208.137 | DDoS-Guard, Russia | Edge node | Jul 24, 2024 |
| `handala-hack.to` (origin) | **185.208.156.82** | AS42624, Zürich CH | WP 6.9.1 + LiteSpeed | Jul 24, 2024 |
| `handala.to` | 103.224.212.206 | Trellian parking | FingerprintJS redirect | Active |
| `handala-redwanted.to` | **192.142.53.75** | AS214036, Amsterdam NL | IIS/10.0, Windows | Dec 2025 |
| `gramatikservicesapi.top` | 64.176.169.27 | AS20473 Vultr | n8n 1.61.0 + PostgreSQL | Sep 9, 2024 |
| `handala-alert.to` | **82.38.63.237** | AS214036, Ultahost, Sweden | Microsoft-HTTPAPI/2.0, Windows | Jan 3, 2026 |
| Tor onion | — | — | nginx (blank) | Jul 22, 2024 |

Intercept Cell Research is a Cipher Cortex research program. Hooked Scams is a scam investigation series from Intercept Cell Research.